CVE-2026-44473 ellanetworks CVE debrief

Who should care

Organizations operating private 5G networks using Ella Core, telecommunications security teams, mobile network operators deploying private network slices, and security researchers analyzing 5G core implementations

Technical summary

Ella Core versions prior to 1.10.0 contain a missing authorization vulnerability in NGAP message handling. The PDUSessionResourceSetupResponse handler does not verify that messages arrive on the SCTP association corresponding to the UE's logical NG-connection identified by the AMF-UE-NGAP-ID. An attacker with a valid NG Setup can inject forged responses, causing the core to establish GTP tunnels to the attacker's radio. This violates the expected binding between UE identity and transport association, enabling traffic interception or denial of service. The fix in 1.10.0 adds proper SCTP association validation.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Ella Core to version 1.10.0 or later to obtain the fix for SCTP association validation
• Review network segmentation to restrict radio access to authorized SCTP associations
• Monitor GTP tunnel establishment logs for anomalous patterns indicating potential exploitation
• Validate that NGAP message handling enforces binding between UE contexts and their originating SCTP associations

Evidence notes

The CVE description and GitHub Security Advisory (GHSA-qfxw-v8qx-vj3v) confirm the vulnerability mechanism: missing SCTP association validation during PDUSessionResourceSetupResponse processing. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H yields a base score of 7.1 (HIGH). CWE-358 (Improperly Implemented Security Check for Standard) and CWE-863 (Incorrect Authorization) are identified as root causes.

Official resources